
SPIFFE Identity Provider default TTL too low #46304

@dteleguin

Description


In SPIRE, the default JWT-SVID TTL is 5 minutes (source; default_jwt_svid_ttl). This corresponds to the default max value that we have in FederatedJWTClientValidator.

However, it is not uncommon for this to be higher in real-world deployments. For example, the SPIRE Helm chart sets that to 1h. Therefore, a valid JWT-SVID would fail validation unless you explicitly lower the TTL via Helm values.

Consider the following options:

  • set the default max TTL to 3600 in FederatedJWTClientValidator;
  • call validator.setMaximumExpirationTime(3600) from SpiffeIdentityProvider (similar to KubernetesIdentityProvider);
  • make this configurable via the Admin UI.

Value Proposition

Using the official Helm chart is a common way to deploy SPIRE. By allowing higher default maximum JWT-SVID TTLs, we will improve interoperability with the real-world SPIFFE/SPIRE deployments.

Goals

Increase the default maximum JWT-SVID TTL for better interoperability with the real-world SPIFFE/SPIRE deployments

Non-Goals

Discussion

No response

Notes

No response
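To make the failure mode concrete, the following is an added example and not code from Keycloak or SPIRE: a small JWT-SVID validator with a configurable maximum expiration time, run against a constructed token with the Helm chart's 1h TTL and one with SPIRE's built-in 5 minute TTL. The token minting uses HS256 with an inline key purely so the block runs offline (real JWT-SVIDs are signed with asymmetric keys published in the trust bundle), the function names (`mint_jwt_svid`, `validate_jwt_svid`) are hypothetical, and applying the cap to the remaining lifetime (`exp` minus the validation time) is an assumption of this example rather than a statement about how `FederatedJWTClientValidator` measures it.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Figures quoted in the issue: SPIRE's built-in default_jwt_svid_ttl is 5 minutes,
# while the SPIRE Helm chart sets it to 1 hour.
SPIRE_DEFAULT_JWT_SVID_TTL = 300
SPIRE_HELM_CHART_JWT_SVID_TTL = 3600

# Constructed key for this example only; SPIRE signs JWT-SVIDs with asymmetric keys.
DEMO_KEY = b"constructed-demo-key-not-a-real-spire-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_jwt_svid(spiffe_id: str, audience: str, ttl_seconds: int,
                  key: bytes, now: Optional[int] = None) -> str:
    """Constructed stand-in for a SPIRE-issued JWT-SVID (HS256 so it runs offline)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": "demo-kid"}
    payload = {"sub": spiffe_id, "aud": [audience], "iat": now, "exp": now + ttl_seconds}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def validate_jwt_svid(token: str, audience: str, key: bytes,
                      max_expiration_seconds: int,
                      now: Optional[int] = None) -> Tuple[bool, str]:
    """Hypothetical validator with a configurable maximum expiration time.

    Returns (accepted, reason). The cap is applied to the remaining lifetime
    (exp minus the validation time); that choice is an assumption of this example.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    # Verify the signature before trusting any claim.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    try:
        actual = _b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return False, "malformed signature"
    if not hmac.compare_digest(expected, actual):
        return False, "invalid signature"
    payload = json.loads(_b64url_decode(payload_b64))
    aud = payload.get("aud", [])
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    exp = payload.get("exp")
    if not isinstance(exp, int):
        return False, "missing exp claim"
    if exp <= now:
        return False, "token expired"
    remaining = exp - now
    # This is the check the issue is about: a token whose lifetime exceeds the cap
    # is rejected even though its signature and audience are fine.
    if remaining > max_expiration_seconds:
        return False, f"exp too far in the future: {remaining}s remaining, maximum {max_expiration_seconds}s"
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000
    helm_token = mint_jwt_svid("spiffe://example.org/workload", "keycloak",
                               SPIRE_HELM_CHART_JWT_SVID_TTL, DEMO_KEY, now=now)
    for cap in (SPIRE_DEFAULT_JWT_SVID_TTL, SPIRE_HELM_CHART_JWT_SVID_TTL):
        print(f"max={cap}s ->", validate_jwt_svid(helm_token, "keycloak", DEMO_KEY, cap, now=now))
```

Raising the cap from 300 to 3600 restores interoperability with chart-deployed SPIRE, but it also means a leaked JWT-SVID stays usable for up to an hour instead of five minutes, so whichever option is chosen the cap should remain an explicit setting rather than disappear.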
